New Attack Piggybacks on Microsoft's Patch Service

Security experts have been predicting that virus writers would find a way to hijack Microsoft's security patch delivery process to slip their software onto users' computers. They were right.

Security researcher Frank Boldewin last week published a "proof-of-concept" program illustrating an attack technique he had first witnessed in March, in an e-mail he received. The e-mail appeared to have been sent from a local Internet service provider in Germany. The file attached to the message was designed to install a Trojan horse program on the victim's machine, which would then download other malicious software.

BITS, the Background Intelligent Transfer Service that Windows Update uses to fetch patches, is designed to resume downloading an unfinished file even after a user restarts or logs off Windows. As soon as the system restarts or regains Internet connectivity, BITS picks up where it left off. Additionally, the sender can determine whether the entire file transfer completed successfully via a special status code set on the transfer.

The real danger is that, assuming the Trojan sneaks past the user's anti-virus software, the user's software firewall likely would not detect the outgoing connection when the victim's machine starts downloading the second-stage payload. That's because BITS is a legitimate system service that the firewall either allows by default or that the user long ago granted permanent permission to communicate in and out through the firewall.
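Because the firewall sees only a trusted service talking, the place to catch this is the BITS job list itself: a job whose source is not an update server, is a bare IP address, or names an executable deserves a look regardless of which process created it. The following is an added example, not code from the post or from Boldewin's proof-of-concept. It parses a constructed, pipe-separated export of BITS client "transfer job started" events (modelled on event ID 59 of the Microsoft-Windows-Bits-Client/Operational log, which records the job name and URL) and flags the jobs a defender would want to triage. The export format, the allowlist of expected update hosts, and every sample line are assumptions made for illustration.

```python
"""Triage BITS transfer jobs from an exported list of BITS client events.

Added example: flags jobs whose download source looks nothing like a
Windows Update server. The record format and sample data are constructed.
"""
import ipaddress
from urllib.parse import urlparse

# Hosts (or parent domains) this machine is expected to pull BITS jobs from.
# Constructed allowlist; a real deployment would add its WSUS/SCCM servers.
EXPECTED_HOST_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "download.microsoft.com",
)

# File extensions that a legitimate patch job rarely fetches directly.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".pif")

# Constructed export: time | event id | job name | URL | job owner.
# Event 59 = transfer job started (carries the URL); 60 = job stopped.
SAMPLE_EVENTS = r"""2007-01-01T09:12:03|59|Windows Update|http://download.windowsupdate.com/msdownload/update/v3/static/kb000000.cab|NT AUTHORITY\SYSTEM
2007-01-01T09:12:45|60|Windows Update|http://download.windowsupdate.com/msdownload/update/v3/static/kb000000.cab|NT AUTHORITY\SYSTEM
2007-01-01T11:02:17|59|ll|http://198.51.100.23/stage2/loader.exe|PC\alice
2007-01-01T11:40:02|59|Vendor Updater|http://updates.example-vendor.invalid/patch.cab|PC\alice
"""


def parse_events(text):
    """Split the pipe-separated export into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, event_id, job, url, owner = line.split("|", 4)
        events.append({
            "time": time,
            "event_id": int(event_id),
            "job": job,
            "url": url,
            "owner": owner,
        })
    return events


def host_is_expected(host):
    """True if host equals or is a subdomain of an allowlisted domain."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES)


def is_ip_literal(host):
    """True if the URL host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_jobs(events):
    """Return the 'job started' events that fail any of the source checks.

    Only event 59 is examined so a job is reported once, not again when
    its matching 'stopped' (60) event arrives.
    """
    findings = []
    for ev in events:
        if ev["event_id"] != 59:
            continue
        parsed = urlparse(ev["url"])
        host = parsed.hostname or ""
        reasons = []
        if is_ip_literal(host):
            reasons.append("IP-literal host")
        elif not host_is_expected(host):
            reasons.append(f"host {host} not in expected-source list")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("URL names an executable")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_jobs(parse_events(SAMPLE_EVENTS)):
        print(f"{f['time']} job={f['job']!r} owner={f['owner']} "
              f"url={f['url']} -> {'; '.join(f['reasons'])}")
```

On a live machine the same view comes from `bitsadmin /list /allusers /verbose`, which prints every queued job with its owner and remote URL; the checks above apply unchanged to that output once it is split into the same fields. The point is that the job's origin, not the process making the connection, is the signal, which is exactly what a process-based firewall prompt cannot see.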

I tried Boldewin's proof-of-concept code. It bypassed ZoneAlarm Free with ease, popping up this message: "If you see this message and your firewall hasn't alerted you before downloading and executing this code, the firewall bypassing worked successfully!"

Boldewin said this was the first time he'd seen this special BITS technique in malware, and asked Symantec malware analyst Elia Florio to test its originality. Symantec hadn't seen the technique used in any of the previous malicious software it had examined.

"It is a very unsuspicious way to download malware, because BITS is a legitimate technique," Boldewin wrote in an e-mail reply to Security Fix.

Hat tip to Symantec for the original report. The firm's blog entry notes that while this was the first instance of a BITS-enabled piece of malware it spotted online, "the BITS download method was already well-documented in the underground and was posted as an 'anti-firewall loader' example on a Russian forum during the end of 2006."

I disagree with Symantec's claim that "there's no immediate workaround against this type of attack." A piece of malware injecting itself into a trusted system process is neither new nor difficult to fortify against. On the first point, consider the "BackStealth Trojan" spotted in 2002. It worked by searching for several types of software firewalls that might be running on the victim's system and then using the firewall's own trusted process to download further components.

I should note that when I tried this exploit on a Windows XP system running under a limited user account, the attack did not succeed. So if you set up your Windows XP or 2000 machine to run under a limited account, even if you inadvertently download a Trojan, it is very unlikely that it will be able to finish its job.